CVSS3 base score: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS2 base score: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
PowerKVM is affected by vulnerabilities in Ruby. IBM has now addressed these vulnerabilities.
CVEID: CVE-2017-17790
DESCRIPTION: Ruby could allow a remote attacker to execute arbitrary commands on the system, caused by a flaw in the lazy_initialize function in lib/resolv.rb. By using a Resolv::Hosts::new argument beginning with a '|' character, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/136550 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
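The resolv.rb flaw stems from opening a caller-supplied filename with Kernel#open, which treats an argument beginning with "|" as a command to run. As an added example (not IBM's or Ruby's own code, and not the upstream patch), the Ruby below shows the defensive pattern: validate the path, then read it with File.open, which never interprets its argument as a command; the helper names and the hosts-file contents are constructed for illustration.

```ruby
require 'pathname'
require 'tempfile'

# Validate an untrusted hosts-file path before it is opened. A leading "|"
# is refused explicitly: Kernel#open treats "|cmd" as a command to run,
# which is the behaviour the resolv.rb flaw (CVE-2017-17790) exposed.
def safe_hosts_path(path)
  s = path.to_s
  raise ArgumentError, 'hosts path must not start with "|"' if s.start_with?('|')
  raise ArgumentError, 'hosts path must be absolute' unless Pathname.new(s).absolute?
  raise ArgumentError, 'hosts path is not a regular file' unless File.file?(s)
  s
end

# Parse /etc/hosts-style content ("address name [alias ...]", "#" comments)
# into name => [addresses]. File.open is used instead of Kernel#open because
# File.open never interprets its argument as a command.
def load_hosts(path)
  table = Hash.new { |h, k| h[k] = [] }
  File.open(safe_hosts_path(path), 'r') do |f|
    f.each_line do |line|
      line = line.sub(/#.*/, '').strip
      next if line.empty?
      addr, *names = line.split(/\s+/)
      names.each { |name| table[name.downcase] << addr }
    end
  end
  table
end

# Stand-alone demo on a constructed hosts file (not a real system file).
if __FILE__ == $PROGRAM_NAME
  Tempfile.create('hosts') do |f|
    f.write("127.0.0.1 localhost\n10.0.0.5 db.internal db # primary\n")
    f.flush
    p load_hosts(f.path)
  end
  begin
    safe_hosts_path('|cmd')   # rejected before anything is opened
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```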
CVEID: CVE-2017-17405
DESCRIPTION: Ruby could allow a remote attacker to execute arbitrary commands on the system, caused by flaws in the Net::FTP library. By sending a specially-crafted command, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/136460 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-14064
DESCRIPTION: Ruby could allow a remote attacker to obtain sensitive information, caused by an issue with using strdup in ext/json/ext/generator/generator.c during a JSON generate call. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to expose arbitrary memory on the affected system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131304 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2017-14033
DESCRIPTION: Ruby is vulnerable to a denial of service, caused by a buffer underrun flaw in the OpenSSL::ASN1 decode function. By sending a specially-crafted string, a remote attacker could exploit this vulnerability to cause the interpreter to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132046 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-10784
DESCRIPTION: Ruby could allow a remote attacker to bypass security restrictions, caused by a flaw in the WEBrick Basic authentication function. By sending a specially-crafted username, an attacker could exploit this vulnerability to inject escape sequences into the log files.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132045 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2017-0903
DESCRIPTION: RubyGems could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending specially-crafted serialized objects, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133521 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-0902
DESCRIPTION: An unspecified vulnerability in RubyGems, bundled by Ruby, could allow a remote attacker to hijack DNS sessions.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131229 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2017-0901
DESCRIPTION: RubyGems, bundled by Ruby, could allow a remote attacker to overwrite arbitrary files on the system, caused by an error in the gem installer. An attacker could exploit this vulnerability to overwrite arbitrary files.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131232 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2017-0900
DESCRIPTION: RubyGems, bundled by Ruby, is vulnerable to a denial of service. By sending a specially-crafted query command, a local attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131231 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-0899
DESCRIPTION: An ANSI escape vulnerability in RubyGems, bundled by Ruby, has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131230 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
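The two escape-sequence findings above (CVE-2017-10784 in WEBrick Basic authentication and CVE-2017-0899 in RubyGems) share one defensive pattern: untrusted bytes must never reach a log file or a terminal unescaped. The Ruby below is an added example, not IBM's, Ruby's or WEBrick's code; the log-line format, the sample username and the peer address are constructed for illustration.

```ruby
# Control characters (C0 range and DEL) that must never reach a log line
# verbatim: they include ESC (0x1b), which starts ANSI escape sequences,
# and CR/LF, which would let one username forge an extra log line.
CONTROL_CHARS = /[\x00-\x1f\x7f]/

# Detection: does an untrusted value carry anything a terminal or log viewer
# could interpret as a control character or escape sequence?
def contains_control_chars?(value)
  value.to_s.scrub('?').match?(CONTROL_CHARS)
end

# Mitigation: render each control byte as a visible "\xNN" token so the
# original bytes stay recoverable for forensics but can no longer act.
# Backslashes are doubled first so a literal "\x1b" typed by a user cannot
# be confused with a sanitized ESC byte.
def sanitize_for_log(value)
  value.to_s.scrub('?')
       .gsub('\\') { '\\\\' }
       .gsub(CONTROL_CHARS) { |c| format('\\x%02x', c.ord) }
end

# Build one auth-failure log line from untrusted Basic-auth input.
# The message format here is constructed for this example, not WEBrick's.
def auth_failure_line(username, peer)
  "auth-failure user=\"#{sanitize_for_log(username)}\" peer=#{sanitize_for_log(peer)}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed hostile username: clears the screen, then starts a new line.
  puts auth_failure_line("bob\e[2J\n", '192.0.2.10')
end
```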
CVEID: CVE-2017-0898
DESCRIPTION: Ruby is vulnerable to a denial of service, caused by a buffer underrun in the Kernel.sprintf method. By persuading a victim to open a specially-crafted application, a remote attacker could exploit this vulnerability to cause the interpreter to crash or access data from the heap.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132044 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
PowerKVM v3.1
Customers can update PowerKVM systems by using “yum update”.
Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 13.
none